Welcome to Gone Phishing, your weekly cybersecurity newsletter that refuses to recognise hackers as biological humans 👀🙈🤣

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Apple, the cybercriminals are no match… for your patch! 🩹

You’re the Apple of my eye 🍎👁️🙃

🚨 Apple Drops Critical Security Patches After Sophisticated Attacks Detected 🍏🔥

If you're rocking an iPhone, iPad, Mac, Apple TV, or Vision Pro, it’s update o’clock ⏰🔧 Apple just patched two serious zero-day vulnerabilities being actively exploited in the wild—yes, right now.

🚨 Here’s what’s been fixed:

CVE-2025-31200 (CVSS 7.5)

💥 Core Audio flaw – Can be triggered by a malicious audio stream (yup, just playing a tainted media file could let an attacker run code) 🎵💀

CVE-2025-31201 (CVSS 6.8)

🛠️ RPAC component bypass – If an attacker already has read/write access, this bug could help them sneak past Pointer Authentication 🚨🔓

🧠 Apple says these were used in "extremely sophisticated attacks against specific individuals" — think spyware, nation-state level stuff. Reported in part by Google’s Threat Analysis Group.

🔧 Fixes include:

✅ Improved bounds checking (for the audio bug)

✅ Removed the vulnerable code entirely (for the RPAC bypass)

📦 These updates are now live for:

📱 iOS & iPadOS 18.4.1 – iPhone XS & newer, various iPads

💻 macOS Sequoia 15.4.1

📺 tvOS 18.4.1

👓 visionOS 2.4.1

💡 Reminder: Apple has now patched 5 actively exploited zero-days in 2025—so this isn’t rare, it’s the new normal. Past issues have let bad actors:

Escalate privileges via Core Media

Disable USB lock protections

Escape the Safari/WebKit sandbox

🔐 What you should do:

✅ Update now—even if you think you’re not a target

✅ Be cautious with suspicious media files or shady links

✅ Keep auto-updates turned on across all Apple devices

🛡️ Bottom line: These bugs were being used in the wild—that means real people were targeted. Whether you're a journalist, business exec, or just privacy-conscious, staying updated is the easiest way to block these high-level threats.

Stay sharp, stay patched. 🍏⚔️

Now, on to this week’s hottest cybersecurity news stories: 

• 🖱️ ClickFix up look sharp: state-sponsored hackers weaponise ClickFix 👾

• 🤑 Crypto users targeted w/ Node.js malware via fake Binance, TradingView 🌐

• 🕵🏻 Agent Tesla (no relation), XLoader deployed via .JSE and PoweShell 🐚

Jim’ll ClickFix it 💀💀💀

Giphy

🚨 ClickFix Goes Global: Nation-State Hackers Join the Malware Trend 🎯

Iran, North Korea, and Russia are now deploying a sneaky social engineering trick called ClickFix to infect targets across the globe — and it's working.

📅 Between late 2024 and early 2025, at least four state-sponsored groups used this technique in phishing campaigns targeting think tanks, governments, and defense contractors.

🛠️ What is ClickFix?

ClickFix is a crafty method where hackers trick victims into infecting themselves by copying and pasting "fixes" — actually malicious PowerShell commands — into their systems.

It often pretends to:

●      Fix system errors ⚠️

●      Verify your device ✅

●      Download legit-looking documents 📄

👥 Who’s Using It?

Proofpoint linked the activity to these groups:

🍜 TA427 (aka Kimsuky – North Korea)

🐪 TA450 (aka MuddyWater – Iran)

🐻 TA422 (aka APT28 – Russia)

🕵️ UNK_RemoteRogue (suspected Russian group)

🕵️‍♂️ TA427: The Diplomat Trick

🎯 Target: Think tanks focused on Korean affairs

● Pretended to be a Japanese diplomat 🏯

● Sent meeting invites & a malicious PDF

● Led victims to a fake embassy site with “instructions”

● ClickFix chain installed Quasar RAT 🐀

🔧 TA450: Fake Microsoft Fix

🎯 Target: Sectors in the U.A.E., Saudi Arabia, U.S., Canada, and Europe

● Emails timed with Patch Tuesday updates 📅

● Claimed users needed to fix a Windows vulnerability

● ClickFix chain installed Level RMM software, giving attackers full remote access 🖥️

● 🛰️ UNK_RemoteRogue: Defense Industry Espionage

🎯 Target: Two major defense orgs

● Phishing from compromised Zimbra servers

● Fake Microsoft Office file + YouTube tutorial

● Users were coached to paste PowerShell code

● Delivered malware using the Empire C2 framework 🔗

⚠️ Why It Matters

✔️ Simple for attackers, tricky for users

✔️ Bypasses some security software

✔️ Trusted by nation-states & cybercriminals alike

Proofpoint warns that more state-backed groups may start experimenting with ClickFix — if they haven’t already.

🔐 Pro Tip

Never copy and paste code from unsolicited emails or websites — no matter how official they look. If something seems off, it probably is.

Stay sharp. Don’t get ClickFixed. 🧠💻

Just say Node 😏

🚨 Malvertising Meets Node.js: Microsoft Warns of Evolving Malware Campaign 🧪

Microsoft is tracking a dangerous new malvertising campaign that weaponizes Node.js to steal information, exfiltrate data, and sneak past defenses — all under the guise of legitimate crypto trading apps.

📅 First spotted in October 2024, the campaign is still active and growing.

🎯 The Lure: Crypto Tools That Aren’t What They Seem

Victims are being tricked into downloading fake installers pretending to be from:

💰 Binance

📈 TradingView

These downloads are hosted on fraudulent sites designed to mimic the real thing.

Once executed, the installer drops a malicious DLL named CustomActions.dll.

🛠️ Behind the Scenes: What the Malware Does

Here’s how the infection unfolds:

📋 Info Harvesting: The DLL collects system data using WMI (Windows Management Instrumentation).

🕒 Persistence: A scheduled task is created to maintain long-term access.

💨 Smoke & Mirrors: The malware opens a real crypto trading site in a browser window via msedge_proxy.exe to look legit.

Meanwhile, PowerShell scripts are quietly running in the background to:

● Exclude the malware from Microsoft Defender scans

● Download more payloads from a remote server

● Collect extensive data (OS, BIOS, hardware, apps)

● Send it all to a command-and-control (C2) server via HTTPS

⚙️ Enter Node.js: Malware Masquerading as Web Code

The malware’s next act involves:

📦 Downloading a ZIP archive from the C2 server

🧪 Deploying the Node.js runtime and a compiled JavaScript file (.JSC)

🕸️ Using Node.js to make network connections and steal browser data

📌 Why Node.js? It’s open-source, widely used by devs, and runs JavaScript outside the browser — making it a perfect disguise for malware.

🧯 What You Can Do

❌ Never download software from unofficial sources — especially via ads

🛡️ Use endpoint protection that detects script-based malware

🧠 Be suspicious of "fix-it" instructions involving terminal commands

🔐 Protect credentials and enable strong 2FA methods

Malware is getting smarter — and more deceptive. Stay cautious, stay updated, and don't let your terminal become a trojan horse. 🧠💻💣

Tesla just can’t catch a break 😉😂😂

🚨 New Multi-Stage Malware Attack Chains: Agent Tesla, Remcos RAT, and XLoader 🧬

Researchers at Palo Alto Networks Unit 42 are warning about a sophisticated, multi-layered malware campaign delivering a cocktail of info-stealers and remote access trojans — including Agent Tesla, Remcos RAT, and XLoader.

📌 This isn't a smash-and-grab. It's a well-orchestrated, multi-stage attack chain designed to evade sandboxes, confuse analysts, and ensure payload delivery.

📥 It All Starts with a Phish

🗓️ First spotted in December 2024, the attack kicks off with a phishing email disguised as an order confirmation. The email claims a payment was made and urges the target to review an attached file — a malicious 7-Zip archive.

Inside the archive:

🧾 A .JSE (JavaScript Encoded) file — the ignition for the entire attack chain

Once launched, this file contacts an external server to download a Base64-encoded PowerShell script.

📦 Payload Decoding and Execution

Here’s what happens next:

🔐 The PowerShell script decodes the Base64 payload

💾 Writes the decoded payload to the Windows temp directory

🚀 Executes it, launching a new dropper stage

The second-stage dropper can be compiled in .NET or AutoIt, depending on the variant.

⚔️ Diverging Paths: .NET vs AutoIt Droppers

🔧 If .NET:

The malware decrypts and injects Agent Tesla / Snake Keylogger / XLoader into the memory of a legitimate Windows process: RegAsm.exe

🎭 If AutoIt:

● Adds another obfuscation layer

● The AutoIt script decrypts a payload that injects a .NET file into RegSvcs.exe, delivering Agent Tesla

💡 Goal: Make analysis harder while ensuring successful execution.

🧱 Layered Simplicity = Resilience

"The attacker’s focus remains on a multi-layered attack chain rather than sophisticated obfuscation,"

– Saqib Khanzada, Unit 42

By stacking basic techniques, the attackers build a resilient and stealthy infection flow, rather than relying on flashy obfuscation.

🛡️ Defensive Tips:

● Avoid opening files from unknown or suspicious emails

● Monitor for unexpected usage of system processes like PowerShell or RegAsm.exe

● Invest in behavioral detection and EDR tools

● Segment high-value assets from user workstations

Attackers aren’t just getting more technical — they’re getting more strategic. The more layers they add, the harder they are to peel back. 🧅💀

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

• 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

• 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

• 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!